June 25, 2016

Here at Hack All The Things, our development team has been working around the clock for more than 18 months to bring you the
best professional training for zero-day exploit development and mitigation available on the market. We're proud to present
Dr. Owen Redwood's completely revamped Offensive Computer Security Course,
as well as our entirely new and innovative SQL injection workshop. In addition to the course and
workshop, we've developed various tools, some of which are publicly available on GitHub, with the remainder
available privately for our pre-launch customers. For pricing or questions about these offers, you can reach out by emailing
sales [at] hackallthethings.com or through Twitter or Reddit. Interested parties may also simply comment on this blog post, and we will respond via email without publishing your comment.
For news and updates, follow our Twitter and subscribe to /r/hackallthethings.

Pre-Launch Specials

Exclusive Prelaunch Order Bonuses

"Hack All The Things" T-shirt

Waived final exam fee (where applicable - a $500 value)

Operating System Security Guide (a $250 value)

Exclusive discounts after launch

As we will be launching very soon, we've decided to offer pre-launch specials (including exclusive pre-launch discounts and add-ons)
on two of our products: the interactive SQL injection workshop (available for pre-order), and Dr. Redwood's Offensive Computer Security 2.0
(available for immediate access). As well as receiving the normal pre-launch order bonuses, each course offers its own exclusive pre-launch
benefits.

Offensive Computer Security 2.0's Pre-launch Sale Benefits

Bonus Workshop Videos

C/C++ vulnerability fundamentals

Stack & heap vulnerabilities

Integer bugs

Pointer bugs

Format string vulnerabilities

UAF exploitation workshop

ROP exploit development workshop

Web exploitation workshop

All pre-launch purchases of the OCS courseware exclusively include individualized instructor feedback and grading by Dr. Redwood,
and access to the Hack All The Things academic "CTF Summer Sessions" workshop videos. These workshop videos are currently exclusively
offered to university students (.edu) over the course of 2016, and are hosted live for the 3-time CCDC champions: HackUCF.
The CTF Summer Session workshop videos start by covering the fundamental offensive cybersecurity topics, then dive in deep with hands-on walkthroughs on real
CTF exploitation challenges. There are limited seats available for this pre-launch special due to the time intensiveness of individualized instruction and manual
grading. Enroll now to secure your seat!

SQL Injection Workshop Pre-order Benefits

PoC Features

Automated testing for SQL injection vulnerabilities

Automated exploitation for multiple types of injection:

In-band injection

Error-based injection

Second-order injection

Partial-blind injection

Full-blind injection

An interactive SQL shell for post-exploitation

The SQL injection workshop pre-orders will provide exclusive pre-release access to our feature-rich SQL injection proof-of-concept script
(video demo). When watching the video, keep a keen eye out for visibility notices, which it prints as it retrieves
multiple bits per request from blind injections!

Pre-orders will also grant immediate access to our innovative SQL injection sandbox, which allows the user to choose from in-band, error-based,
second-order, partial-blind, and full-blind vulnerability types. The vulnerability sandbox also provides an interface to configure the vulnerable
input's data type, and multiple types of bareword and character filters (as well as the way these are filtered). It also contains a debug panel showing
the user the application-generated SQL query and any SQL errors it may have caused.

All features of the proof-of-concept script are fully documented in the workshop, along with the basics of SQL and the anatomy of a SQL injection.
Additionally, the workshop explains countermeasures to SQL injection and methods of circumventing several of them. The workshop also details the
ways in which multi-byte characters can remove sanitizing from an input.

Offensive Computer Security 2.0

Prerequisites

Familiarity with C/C++

Comprehension of Assembly

Basic understanding of security concepts

Capability to set up and use a Virtual Machine

This course is for anyone who wants to become an incident responder, penetration tester, security professional,
forensics professional, or vulnerability researcher. It includes ten assignments, two tests, and a final exam.
Upon successful completion of the course, students will have found their own 0-day vulnerability and obtained a
CVE for it. Books that will be used throughout the course
are Hacking: The Art of Exploitation (2nd edition - Jon Erickson),
and The Web Application Hacker's Handbook (2nd edition - Dafydd Stuttard).

Lecture Videos

Secure C Programming 101, 102, and 103

Auditing C code for vulnerabilities

Linux OS Overview and the permissions spectrum

Windows OS & API overview

Rootkit design for Linux & Windows

Reverse Engineering x86 101 & 102

Fuzzing binaries for vulnerabilities 101, 102, and 103

Exploit Development 101, 102, 103, 104, 105, and 106

Use-After-Free exploit development

Networking 101 & 102

Web Exploitation 101, 102, 103, and 104

Forensics

Social Engineering

Physical Security

Post-exploitation techniques

Graduates will be able to identify, classify, exploit, and mitigate a variety of vulnerability types, including:

Stack and heap buffer overflows

Integer overflows/underflows

Use-after-free vulnerabilities

Format string vulnerabilities

Pointer-based vulnerabilities

SQLi vulnerabilities

XSS vulnerabilities

XSRF vulnerabilities

Metacharacter injection vulnerabilities

Network protocol vulnerabilities

Dr. Redwood's Offensive Computer Security course materials are currently being taught at multiple universities across
the world. The courseware has been used by CTF clubs to improve the skills of their members, and professors have utilized
the course as an additional elective towards information security degrees.

This workshop is for anyone who wants to become a better defender, incident responder, security professional or vulnerability researcher
regardless of experience level. It also provides explanations of SQL injection techniques in MySQL, PostgreSQL, Microsoft SQL Server,
and Oracle environments. Each segment provides interactive examples of the techniques provided in the workshop through the SQL injection sandbox.
The student is provided with interactive CTF-style skill assessments and quizzes through the sandbox between sections. This ensures they are
learning and retaining the material as they proceed through the various segments of the course.

This workshop fully explains the methods in which out-of-band vulnerabilities can allow the attacker to retrieve multiple bits per request, both
with partial blind injections and fully blind (timing-based) injections.

The proof of concept video shows these techniques in action. Combined with the interactive
sandbox and the proof of concept, this workshop takes education on SQL injection to the next level!

SQL Injection and Sanitizing

Web applications sanitize the apostrophe (') character in strings that come from user input and are passed to SQL statements by prefixing it with an escape (\) character. The hex code for the escape character is 0x5c. When an attacker puts an apostrophe into a user input, the ' is turned into \' during the sanitizing process. The DBMS does not treat \' as a string delimiter, so the attacker (in normal circumstances) is prevented from terminating the string and injecting malicious SQL into the statement.

If a multi-byte character supported by the server ends in the hex code 0x5c, it is possible for an attacker to insert the prefix of this character before the apostrophe, so that the escape, in combination with this prefix, turns into a different character altogether and the single quote comes through sanitizing unescaped. While this idea isn't necessarily new, finding research online that includes an entire list of character sets and characters is cumbersome at best. This article attempts to put all of the research and tools in one place.

Researching Multi-byte Character Sets

A small Python script was devised to determine which character sets contain multi-byte characters ending in 0x5c. The script iterates over all installed character sets and inspects the hexadecimal value of each character. A list of character sets found to contain valid multi-byte characters ending in 0x5c is provided in Figure A. Additionally, a video of running the script has been provided in Figure B to show what the output should look like.
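The script itself is not reproduced on this page. As an added example (not the authors' script), the following Python sketch runs the same kind of search over a fixed list of codecs bundled with CPython, which is useful for auditing whether a charset configured on a server is affected. The codec list and the function names are assumptions made for illustration.

```python
import codecs

# Multi-byte codecs shipped with CPython. This selection is an assumption;
# extend it to cover the character sets your own servers accept.
CANDIDATES = ("big5", "big5hkscs", "cp932", "cp949", "cp950", "gbk",
              "gb18030", "gb2312", "johab", "shift_jis", "euc_jp",
              "euc_kr", "utf_8")

BACKSLASH = 0x5C  # the escape byte discussed above


def lead_bytes_ending_in_backslash(codec_name):
    """Return lead bytes L for which the pair [L, 0x5c] is ONE character."""
    hits = []
    for lead in range(0x80, 0x100):
        try:
            text = bytes([lead, BACKSLASH]).decode(codec_name, errors="strict")
        except UnicodeDecodeError:
            continue  # not a valid sequence in this codec
        if len(text) == 1:  # 0x5c was consumed as a trail byte
            hits.append(lead)
    return hits


def scan(codec_names=CANDIDATES):
    """Map the canonical name of each affected codec to its lead bytes."""
    report = {}
    for name in codec_names:
        hits = lead_bytes_ending_in_backslash(name)
        if hits:
            report[codecs.lookup(name).name] = hits
    return report


if __name__ == "__main__":
    for name, hits in sorted(scan().items()):
        print(f"{name:12} {len(hits):3} lead bytes, first 0x{hits[0]:02x}")
```

Codecs whose trail bytes never fall in the ASCII range (UTF-8 and the EUC family, for example) produce no hits and are left out of the report.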

Conclusion

In conclusion, there are hundreds of multi-byte characters that could potentially allow attackers to perform SQL injection through sanitizing. It is interesting to note that these character sets are intended for use in a specific region of the world. It is possible to fix this by forcing both the web server and the SQL server to use the same character set, as this vulnerability only occurs when multiple (and different) character sets are in use. Those looking to do so may find this research interesting.
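The effect of the character-set mismatch, and of removing it, can be checked with a small model. This is an added example, not code from the workshop: the function names are hypothetical, the sample bytes are constructed, and no database is involved. The sanitizer and the server are each modelled as reading the same bytes in their own charset.

```python
def escape_as(raw: bytes, charset: str) -> bytes:
    """Escape \\ and ' the way a sanitizer that reads input as `charset` would.

    With "latin-1" every byte is its own character, which models a sanitizer
    that works byte by byte and knows nothing about multi-byte characters.
    """
    text = raw.decode(charset)  # strict: invalid sequences raise
    text = text.replace("\\", "\\\\").replace("'", "\\'")
    return text.encode(charset)


def live_quotes(raw: bytes, sanitizer_charset: str, server_charset: str):
    """Count apostrophes the server still sees as string delimiters.

    Returns None when the sanitizer rejects the input as invalid text.
    """
    try:
        escaped = escape_as(raw, sanitizer_charset)
    except UnicodeDecodeError:
        return None
    text = escaped.decode(server_charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # a backslash escapes the character after it
            continue
        count += text[i] == "'"
        i += 1
    return count


# Constructed sample: a GBK lead byte followed by an apostrophe.
SAMPLE = b"\xbf'"

if __name__ == "__main__":
    for san, srv in (("latin-1", "gbk"), ("latin-1", "latin-1"), ("gbk", "gbk")):
        print(f"sanitizer={san:8} server={srv:8} -> {live_quotes(SAMPLE, san, srv)}")
```

Only the mismatched pair leaves a live delimiter; when both sides use GBK the malformed input is rejected, and a valid GBK string containing an apostrophe is escaped correctly.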